scalable vpn remote access - cisco · in 2001 cisco’s dsl provider filed bankruptcy. cisco® it...
TRANSCRIPT
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1
Scalable VPN Remote AccessHow Cisco IT Provides Secure and Flexible Remote Access for Mobile Employees and Home Offices
A Cisco on Cisco Case Study: Inside Cisco IT
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 2
Overview
ChallengeIn 2001 Cisco’s DSL provider filed bankruptcy. Cisco® IT had to migrate 9000 remote access users to a new service within one month.
SolutionMigrate from the service provider managed service model to a “user”managed model based on a software VPN client.
ResultsToday users can access the corporate network from any location that has a public Internet connection. Usage has almost tripled.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 3
Overview (Contd.)
Next StepsCisco IT is improving the current remote access service by expanding the number of VPN gateways, providing faster upgrades, and making use of better encryption and data compression software.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 4
History - Incomplete Coverage – 1999
With the growth of the Internet and the advent of broadband access available to homes, IT started working with various service providers and multisystem operators (MSOs) to provide broadband access to homes
Biggest challenge: Multiple vendors, incomplete coverage
Our goal was to provide the best service to the most employees at a reasonable cost to Cisco®.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 5
History - Incomplete Coverage – 1999(Contd.)
Rhythms NetConnections was selected to provide private xDSL connectivity for Cisco remote access users within the United States
The Rhythms DSL service was effectively a "private" DSL service offering direct virtual circuit connectivity into the Cisco corporate intranet.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 6
Challenge - Remote Access Crisis
August 2001: Rhythms Net Connections filed for bankruptcy; more than 9000 employees depended on the DSL service Rhythms provided
The remote access team faced migrating 9000 users in a single month.
IT knew from experience that migrating to other standard remote access services like ISDN or another managed DSL service would be costly, and take more than 10 times their available staff
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 7
Solution - VPN Solution
The remote access crisis forced IT to consider other options, and to accelerate our migration to a software client VPN solution
IT reviewed different options and selected a new modelUser-managed services based on a software client VPN
User would be responsible for providing their own best-available connectivity to the Internet
Cisco® would reimburse remote access charges as needed
Cisco IT would provide and support VPN connectivity from the Internet gateway to the Cisco corporate network
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 8
Solution - Business Issues with RemoteAccess
Client productivityHigh-speed remote access means that employees can perform almost all work functions from home or while traveling. For many employees this translates to an additional 10 to 40 percent productivity per day.
Client satisfactionEmployees find it much easier to balance their work and home lives with high-speed remote access, and this improves morale and makes it easier to retain valuable employees. In 2001 Cisco® had 9000 DSL users and in 2003 Cisco had more than 23,000 VPN users.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 9
Solution - Business Issues with Remote Access
GlobalizationA global company must enable its global employees to work together effectively.Due to differing time zones, someemployees have to host or attend conference calls at all times of the day.The VPN service connects employees at highspeeds to the corporate intranet, letting them work from any location and at any time, much more conveniently.
FlexibilityRemote access provides added flexibility during a crisis and also for everyday activities.
Manual supportBecause almost all Cisco employees provide their own broadband VPN remote access service, we do not do installations or service callsand we do not do bill reconciliation.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 10
Solution-Business Issues with RemoteAccess
SecurityNow that we have migrated to an Internet VPN access service, we do not have to close their Internet service account; the ex-employee can choose to do it if they want. We only have to close an ex-employee's access from the Cisco authentication, authorization, and accounting (AAA) server, which we can do in less than 24 hours, to keep them from accessing the Cisco internal website.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 11
Solution-Business Issues with RemoteAccess (Contd.)
CostThe cost to provide user-managed VPN service is about half the cost to provide Cisco IT-managed high-speed access service.
The cost to each Cisco employee for Internet access depends on their location and the type of Internet access available in their area (access types can include ISDN, DSL, cable, or leased lines), but it still remains about half the cost of DSL access provided by Cisco.
Users select the best-possible service at their locations, providing more flexibility than an IT-selected service could offer.
Cisco reimburses employees, when possible, up to a preset limit.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 12
Solution-Network Architecture and Design
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 13
Results - VPN Concentrator Locations
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 14
Results - Summary
Internet-based broadband VPN has become a popular, widely used productivity-enhancing tool within Cisco®
Today users can access the corporate network from any location that has a public Internet connection. Currently, about 23,000 registered users worldwide use the VPN client.
Cost savingsBy migrating to VPN, Cisco IT was able to significantly reduce the per-user costs associated with providing remote access. In addition, Cisco IT was able to significantly reduce staff overhead dedicated to installing and servicing remote access end-user equipment.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 15
Next Steps - Summary
Expansion of serviceLocations currently being considered for VPN gateway service are Singapore; Bangalore, India; and Beijing, China
Faster upgradesGoing forward with Cisco® VPN Client Version 3.6, IT will use the Microsoft installer version of the software, which will significantly reduce the time involved in quality assurance testing and rollout of a new version of VPN software.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 16
Next Steps – Summary (Contd.)
Better encryptionCisco VPN Client Version 3.6 also supports the Advanced Encryption Standard (AES), which Cisco IT and Cisco Information Security are evaluating as an alternative to 3DES encryption.
Data compressionCisco IT is evaluating several compression techniques for providing better throughput with lower-bandwidth VPN service.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 17
Next Steps - Summary
Hardware client for home officeHome office users are trying various forms of hardware VPN clients, including the Cisco® 831 Ethernet Broadband Router.
Voice and video over VPNCisco IT is piloting voice and video over the broadband VPN linkfrom home offices, customer offices, and from hotels.
Extranet connectionsRemote access VPN is being evaluated to provide secure connectivity to extranet partners in small sites. Cisco IT is planning to use the Group Lock feature of the Cisco VPN 3060 Concentrator, which allows Cisco IT to create multiple VPNs and ensures that each user is limited to connecting only to their appropriate VPN.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 18
Next Steps - Summary
Wireless vendor supportCisco® IT is evaluating wireless VPN technology to provide "anytime and anywhere" access to the highly mobile sales and marketing employees.
PDA supportCisco IT is investigating personal digitalassistant (PDA) software packages that supportIP Security standards for use as VPN client endpoints. PDAs with wireless support will allow Cisco employees a greater degree of mobility than is available today.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 19
Next Steps - Summary
SSL supportCisco IT will evaluate the Secure Sockets Layer (SSL)-based VPN client functions that will be supported later this year. Cisco IT wants to be able to provide secure and authenticated VPN connectivity to all Cisco employees who have access to a browser supporting SSL, without requiring the installation or use of a separate VPN client.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 20
A Complete VPN Solution
Offer a complete VPN solution, and meet the needs of your business customers today
© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 21
To read the entire case study, or for additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT
www.cisco.com/go/ciscoit